For those not in the know, that vulnerability cat-and-mouse game goes like this: IT teams race to test and apply newly released, critical updates to software and systems - under cover of mitigating or compensating controls - before hackers create and field working exploits for the flaws the patches fix.

Such efforts continue nonstop. Risk Based Security's VulnDB team, for example, counted 11,092 newly disclosed vulnerabilities during the first half of 2019. Public exploits existed for 34 percent of those flaws, 53 percent of all of the vulnerabilities could be exploited remotely and nearly 5 percent of all of the bugs also affected security software.

Some weeks are worse than others. The U.S. Cybersecurity and Infrastructure Security Agency, in its vulnerability summary for the week of Aug. 19, released Aug. 26, described nearly 600 new vulnerabilities, or about 20 percent more than in the average week. Flaws included 49 serious vulnerabilities in software developed by Adobe, Google Android, IBM as well as for WordPress, plus 170 medium-severity flaws, eight low-severity flaws and 360 vulnerabilities for which no severity had yet been assigned.

Risk-Management Challenge

Security experts warn that patch management, or the larger question of vulnerability management, must be part of a much bigger-picture approach to managing risk.

"I don't see much written on vulnerability management in more holistic terms versus patch/bug fixing," says Phil Venables, a board director and senior adviser for risk and cybersecurity at Goldman Sachs Bank, via Twitter. "I've always found it immensely useful to think of vulnerability management as four layers, building on each other and in turn becoming more powerful as a risk mitigation approach."

Here are his four layers of vulnerability management:

Basics: Ensure the vulnerability management team has complete coverage of the organization and that it ranks the criticality of each flaw and also maps all system dependencies.

Components: Discover and remediate component flaws. This is the most well-known component of vulnerability management.

Configuration: Discover and remediate configuration flaws.

Architecture: The highest layer involves "architectural goal enumeration and enforcement," he says. This includes identifying necessary constraints, such as "developing rules for what potentially toxic arrangements of components should never exist," and then ensuring that the vulnerability management team is tasked with monitoring for these continuously. Likewise, such a program should identify obligations, including "developing default architectural/design patterns for the deployment of common services and then monitoring for adherence to those," as well as enforcing their use throughout the software development life cycle.

Failing to patch the right system at the right time - or to otherwise mitigate flaws - can have massive repercussions. Equifax, for example, instructed all IT personnel to ensure they'd installed a critical patch for all Apache Struts implementations, but then failed to confirm that all Struts systems had actually been patched. In the interim, attackers quickly infiltrated its systems, installing 30 web shells for remote access and exfiltrating massive quantities of data (see: Equifax Breach 'Entirely Preventable,' House Report Finds).

As Venables has also noted, many security incidents "are not due to a lack of conception of controls but due to failures of expected controls," which may include patch management. As a result, he says controls must be continuous monitored and validated, with any failures being treated as security incidents themselves.

Start Here: 'Do We Have It?'

Organizations can't patch what they don't know about. Conversely, they can't make a well-calculated decision about what to fix first - or temporarily postpone fixing - as well as what they can safely ignore.

His vulnerability management team learns to dream the following questions in their sleep, he says: Do we have it? Are we running it? Where is it? Is it vulnerable? From whom/what/where is it exploitable? What's the loss exposure? Do we care? What do we need to do if we do? Is it isolated/systemic/architectural and is there a design pattern we can use to prevent it?

Patching Lags

Despite such guidance, the failure to rapidly patch systems is widespread, based on the number of vulnerable systems that remain.

My version: "do we have it, are we running it, where is it, is it vulnerable, from whom/what/where, is it exploitable, what's the loss exposure, do we care, what do we need to do if we do, is it isolated/systemic/architectural & is there a design pattern we can use to prevent it? https://t.co/K2ZD5BBefy

In recent weeks, for example, warnings have intensified over the many unpatched SSL VPNs manufactured by Pulse Secure and Fortinet. Security experts say attackers have been running large-scale scans to identify machines that have yet to be updated with patches released in April and May. Attackers can exploit the flaws to steal data, including passwords, and obtain unauthenticated, remote access to enterprise networks (see: Chinese APT Group Began Targeting SSL VPN Flaws in July).

Waiting for BlueKeep Attacks

On May 14, Microsoft pushed patches for the vulnerability (CVE-2019-0708) that attackers can exploit to compromise Remote Desktop Services in Windows and gain full, remote access to a system, including full administrator privileges and the ability to execute arbitrary code. Last month, Microsoft warned that BlueKeep exploit code is in the wild. But many organizations have been slow to patch.

"Patching, or rather good cyber hygiene, is an integral component of every company's defense against cyberattacks," Raj Samani, chief scientist at McAfee, recently told Information Security Media Group.

The number of systems that have yet to receive the RDP patch that safeguards against BlueKeep attacks "shows that the fundamentals of good cyber hygiene remain overlooked for so many companies," he said.

Many CIOs and CISOs, however, have for years been trying to tackle the patch, vulnerability and risk management challenges, only to see them continue to grow more complex.

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Operation Success!

Risk Management Framework: Learn from NIST

From heightened risks to increased regulations, senior leaders at all levels are pressured to
improve their organizations' risk management capabilities. But no one is showing them how -
until now.

Learn the fundamentals of developing a risk management program from the man who wrote the book
on the topic: Ron Ross, computer scientist for the National Institute of Standards and
Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37
- the bible of risk assessment and management - will share his unique insights on how to:

Understand the current cyber threats to all public and private sector organizations;

Develop a multi-tiered risk management approach built upon governance, processes and
information systems;

Enter your email address to reset your password

Already have anISMG account?

Forgot Your Password Message:

Contact Us

Already have anISMG account?

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.